The present invention relates to computer software analysis and testing in general.
Computer software applications are often tested to determine whether they are vulnerable to malicious attacks or otherwise show signs of security vulnerabilities. One such type of testing, known as “black-box” testing, involves executing a computer software application and attacking the running application using known forms of malicious attacks, observing only its externally visible responses. When performing black-box testing on a computer software application it is important to determine which part of the application is vulnerable to a particular black-box attack. This is particularly challenging when performing black-box testing on web services, such as web services that expose one or more Application Programming Interfaces (APIs) accessible via Hypertext Transfer Protocol (HTTP) and executed on one or more computers, where the web services are reachable only through a layer of one or more Service Oriented Architecture (SOA) interceptors. For example, where a black-box attack is intended to test a particular web service API for vulnerabilities, such as a web service API that contains business logic, the attack may first have to pass through several layers of SOA-related interceptors, such as those related to authentication, authorization, session management, etc., any one of which may reject the request and produce a response of its own. Thus, when a response is received to a black-box attack on a web service API, it is important to determine whether the attack indeed reached its intended target or whether the attack was stopped by an intermediate web service request interceptor and never reached the business logic under test.
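The following is an added illustration of the situation described above, not code from the original document. It simulates, in memory, a chain of SOA-style interceptors (authentication, session management, authorization) in front of a small order-lookup web service, sends the same attack-style request under different credentials, and classifies each response from externally visible fields only (status code, headers). The token value, cookie name, paths and the `handled_by` field are all constructed for the example; `handled_by` is ground truth that a real black-box tester would not see, and is used only to check the classifier.

```python
from dataclasses import dataclass
from functools import partial
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    path: str
    params: Dict[str, str]
    headers: Dict[str, str]


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str]
    handled_by: str  # ground truth for the simulation; invisible to a black-box tester


Handler = Callable[[Request], Response]

VALID_TOKEN = "Bearer demo-token"   # constructed credential for the simulation


# --- SOA interceptors: each either rejects the request or forwards it downstream ---
def authentication(req: Request, nxt: Handler) -> Response:
    if req.headers.get("Authorization") != VALID_TOKEN:
        return Response(401, "authentication required",
                        {"WWW-Authenticate": "Bearer"}, "authn-interceptor")
    return nxt(req)


def session_management(req: Request, nxt: Handler) -> Response:
    if "SESSIONID" not in req.headers.get("Cookie", ""):
        return Response(302, "", {"Location": "/login"}, "session-interceptor")
    return nxt(req)


def authorization(req: Request, nxt: Handler) -> Response:
    if req.path.startswith("/api/admin") and req.headers.get("X-Role") != "admin":
        return Response(403, "forbidden", {}, "authz-interceptor")
    return nxt(req)


# --- the business-logic API that the black-box attack is meant to reach ---
def order_service(req: Request) -> Response:
    order_id = req.params.get("id", "")
    if not order_id.isdigit():
        # The business logic itself reacts to the malformed/attack input.
        return Response(400, f"invalid order id: {order_id!r}", {}, "order-service")
    return Response(200, f'{{"order": {order_id}}}',
                    {"Content-Type": "application/json"}, "order-service")


def build_chain(interceptors: List[Callable], target: Handler) -> Handler:
    """Wrap target so that interceptors run in list order before it."""
    handler = target
    for interceptor in reversed(interceptors):
        handler = partial(interceptor, nxt=handler)
    return handler


SERVICE = build_chain([authentication, session_management, authorization], order_service)


def classify(resp: Response) -> str:
    """Black-box heuristic: decide from observable fields which layer answered."""
    if resp.status == 401 or "WWW-Authenticate" in resp.headers:
        return "stopped: authentication"
    if resp.status == 302 and resp.headers.get("Location", "").endswith("/login"):
        return "stopped: session"
    if resp.status == 403:
        return "stopped: authorization"
    return "reached target"


def probe(path: str, params: Dict[str, str], headers: Dict[str, str]) -> Tuple[str, str]:
    """Send one request through the chain; return (black-box verdict, ground truth)."""
    resp = SERVICE(Request(path, params, headers))
    return classify(resp), resp.handled_by


if __name__ == "__main__":
    payload = {"id": "1 OR 1=1"}   # constructed attack-style parameter value
    full = {"Authorization": VALID_TOKEN, "Cookie": "SESSIONID=abc"}
    for label, path, hdrs in [
        ("no credentials", "/api/orders", {}),
        ("token only", "/api/orders", {"Authorization": VALID_TOKEN}),
        ("token+cookie, admin path", "/api/admin/orders", full),
        ("token+cookie", "/api/orders", full),
    ]:
        verdict, truth = probe(path, payload, hdrs)
        print(f"{label:26} -> {verdict:24} (actually: {truth})")
```

The same payload yields four different responses, and only the last one comes from the business logic; a tester who treats a 401 or a redirect to the login page as a "not vulnerable" result has learned nothing about the order service. The heuristic in `classify` is deliberately simple and can be fooled, for instance by an interceptor that returns 200 with a login form, so in practice the verdict should also be compared against a baseline benign request sent with the same credentials.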